Hey, Scripting Guy! I read with interest your blog post yesterday about using the Microsoft Windows PowerShell cmdlets to work with users in Active Directory. The problem is that I have a Windows 2008 domain controller, so the cmdlets do not appear to work for me. Is there something I can do to allow access to the Windows PowerShell cmdlets for Active Directory?

—IH

Hello IH,

Microsoft Scripting Guy Ed Wilson here. The week in Kauai, Hawaii, is shaping up to be a nice one. The Scripting Wife and I have enjoyed traveling the island. It is actually our fourth trip to the island, and one of our favorite spots for mellowing out and relaxing. I took the following photo from a dive boat on our last trip to the island.

The first thing to do is to check the level of the .NET Framework that is installed on the domain controller to be updated. It must be running .NET Framework 3.5 with Service Pack 1. One easy way to check for the .NET Framework version is via Control Panel/Programs and Features. If .NET Framework 3.5 SP1 is installed, it appears as shown in the following figure.

I download the Windows6.0-KB968934-x86.msu file from the Microsoft Download Center, as shown in the following figure.

After the file is downloaded, I run the program. The Windows Update standalone installer starts, and it searches for updated files. After about a minute or so, an error message appears. The message is the one shown in the following figure.

Two hotfixes are required. The download page lists three updates (a .NET Framework update and one operating system–specific update each for Windows Server 2003 and Windows Server 2008), but because I am running Windows Server 2008 with Service Pack 2 on my domain controller, the KB967574 hotfix is already installed, so I do not need to install that particular update.

The system requirements section is difficult to read (I have seen several forum postings attesting to this fact). The first hotfix applies to both Windows Server 2008 and Windows Server 2003. It is the hotfix described in KB article 969166, a .NET Framework 3.5 SP1 hotfix rollup. According to the KB article, the hotfix rollup is included in the .NET Framework 4.0. However, I have the .NET Framework 4 Client Profile and the .NET Framework 4 Extended updates, as well as all .NET Framework 4 updates, and the hotfix rollup from KB 969166 is not included in any of those packages. The good thing is that after installing the 969166 update, a reboot is not required and the installation proceeds with the dialog that appears here (assuming you have the other updates).

For Windows Server 2003 and Windows Server 2003 R2, there is a specific hotfix that is described in KB 969429 to help Windows 7 clients to be able to find the management gateway. The third hotfix that is listed applies to Windows Server 2008. This hotfix, KB 967574, applies if you have not installed Service Pack 2 on the system.

After the two updates are applied to the system and the Active Directory Management Gateway Service is installed, a reboot of the server is required. After the Windows 2008 domain controller completes the reboot and the Active Directory Management Gateway Service is running, I can connect to it with Windows PowerShell from my Windows 7 desktop. Before attempting this, I open the services.msc utility and verify that the Active Directory Web Services service has been created and is running. This service is shown in the following figure.
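The checks described in the steps above (the .NET Framework 3.5 SP1 level, the hotfixes, and the state of the Active Directory Web Services service) can be gathered in one pass on the domain controller itself. The following script is an added example and is not code from the original post. It assumes the documented registry key for .NET 3.5 (HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5, with Install and SP values), the service name ADWS for Active Directory Web Services, and the KB numbers named in the post. Note that Get-HotFix only reports updates recorded in Win32_QuickFixEngineering, so a hotfix that does not appear there should still be confirmed in Programs and Features before concluding it is missing.

```powershell
# Added example: prerequisite check for the AD Management Gateway Service.
# Run in an elevated PowerShell console on the Windows Server 2008 / 2003 DC.
# KB numbers are the ones named in the post; ADWS is the service name of
# "Active Directory Web Services".

function Test-DotNet35Sp1 {
    # .NET 3.5 SP1 records Install=1 and SP=1 under this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
    if (-not (Test-Path $key)) { return $false }
    $ndp = Get-ItemProperty -Path $key
    return ($ndp.Install -eq 1 -and $ndp.SP -ge 1)
}

function Test-RequiredHotfix {
    param([string[]]$KB)
    # Get-HotFix only reports updates recorded in Win32_QuickFixEngineering,
    # so a "missing" result should be double-checked in Programs and Features.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($id in $KB) {
        New-Object PSObject -Property @{
            HotFixID  = $id
            Installed = ($installed -contains $id)
        }
    }
}

function Test-Adws {
    # ADWS is the service name behind "Active Directory Web Services".
    $svc = Get-Service -Name ADWS -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return 'Not installed' }
    return $svc.Status
}

$os = Get-WmiObject Win32_OperatingSystem
"OS: $($os.Caption) $($os.CSDVersion)"
".NET 3.5 SP1 present: $(Test-DotNet35Sp1)"

# KB969166 applies to both OS versions. KB967574 only matters on
# Windows Server 2008 without Service Pack 2; KB969429 on Windows Server 2003.
# (Windows Server 2008 R2 ships ADWS natively and needs none of this.)
$required = @('KB969166')
if ($os.Caption -match '2008' -and $os.CSDVersion -notmatch 'Service Pack 2') { $required += 'KB967574' }
if ($os.Caption -match '2003') { $required += 'KB969429' }
Test-RequiredHotfix -KB $required | Format-Table HotFixID, Installed -AutoSize

"ADWS service: $(Test-Adws)"
```

Run it before the KB968934 installer to see which prerequisite is missing, and again after the reboot to confirm the ADWS service reports Running.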

One thing that does not happen: no ActiveDirectory module becomes available on the Windows Server 2008 or Windows Server 2003 domain controller. Therefore, even though the management gateway is installed, it does not provide any of the Active Directory cmdlets on the server itself. This normally is not a problem, because the RSAT tools for Windows 7 provide the module on the client.

On my Windows 7 desktop, I use the following command to import the Active Directory module:

Import-Module ActiveDirectory

When I press Enter, I get a progress dialog displayed in the Windows PowerShell console. This progress bar is shown in the following figure.

In yesterday’s Hey Scripting Guy blog article, I talked about an error that I sometimes receive when the ActiveDirectory module is unable to talk to the specific domain controller that authenticated my logon. With the installation of the Active Directory Management Gateway Service on my DC1 server, I no longer receive that error.

I decide to do a quick test to ensure that everything is working. First, I do a query for a user named ed, but I do not specify the server. The command and results are shown here:

PS C:\Users\ed.IAMMRED> Get-ADUser ed

DistinguishedName : CN=ed wilson,OU=Charlotte,DC=iammred,DC=net
Enabled           : True
GivenName         : ed
Name              : ed wilson
ObjectClass       : user
ObjectGUID        : bb10b5a2-58d7-4f8a-ab10-2ee84fc7cb58
SamAccountName    : ed
SID               : S-1-5-21-1457956834-3844189528-3541350385-1103
Surname           : wilson
UserPrincipalName : ed@iammred.net

Now I want to test a couple of my domain controllers to ensure they answer. I type two of the server names, pipe them to the ForEach-Object cmdlet (% is an alias), and inside the script block, I use the Get-ADUser command. I then select only the name attribute. The command and associated output are shown here:
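The two-server check described above, written out as an added example that is not the post's own code. It assumes the domain controller names DC1 (named in the post) and DC2 (a placeholder), the user ed from the output above, and that the Windows 7 client has the RSAT ActiveDirectory module. It goes one step beyond the post's command: before running Get-ADUser against a DC it probes TCP port 9389, the port Active Directory Web Services and the management gateway listen on, so a DC that is simply not reachable on that port is reported separately from one that answers the query.

```powershell
# Added example: verify that each DC answers through the AD Web Services port
# before querying it. DC1 appears in the post; DC2 is a placeholder name.
Import-Module ActiveDirectory

function Test-AdwsPort {
    param([string]$ComputerName, [int]$Port = 9389, [int]$TimeoutMs = 2000)
    # TCP 9389 is the port Active Directory Web Services / the management
    # gateway listens on. A closed or filtered port means the cmdlets will
    # fail against that DC regardless of whether the service is installed.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

'dc1', 'dc2' | ForEach-Object {
    $dc = $_
    if (Test-AdwsPort -ComputerName $dc) {
        # Same query as the post, pinned to one DC, keeping only the name.
        Get-ADUser -Identity ed -Server $dc | Select-Object @{n='Server';e={$dc}}, Name
    } else {
        Write-Warning "$dc does not answer on TCP 9389 (ADWS/ADMGS not running or blocked)"
    }
}
```

The ForEach-Object alias % from the post works the same way; the long form is used here only for readability. A warning for a DC that should have the gateway installed usually means the ADWS service is stopped or a host firewall is not allowing port 9389.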

Sweet! It looks like everything installed properly. Speaking of sweet, I think the Scripting Wife and I will head out and try to find a locally grown pineapple freshly gleaned from the ground. Sounds like super fun to me. Aloha.

IH, that is all there is to installing the Active Directory Management Gateway Service. Active Directory Week will continue tomorrow.

These are indeed helpful components for "older" domain controllers that we still have up and running in our company.

"If only I could sell this goodness to our admins!"

They won't install any "additional components" on their DCs :-(((

Klaus.

Ed Wilson

9 Sep 2011 11:13 PM

@Klaus I can understand not wanting to install additional components on a DC -- I don't either. The question is functionality -- if this is something that is useful, and that will reduce management overhead, it is something that should be done. If they will not use the functionality, then they should not do it. To me, the quick reboot is minimal downtime, and if paired during a scheduled maintenance period, it would be easy to do, and would offer great functionality.

Hi Ed, what would be the next line of attack if, after installing all the packages and verifying the services are running on Server 2008 Enterprise SP2, the ActiveDirectory module is not found and it is not listed in the "Get-Module -List" output?

Joseph Parchem

17 Jan 2013 7:19 PM

This saved me a ton of time. Thanks much!


Nick S

20 Jun 2013 8:32 AM

thank you mate, your articles are awesome & you have saved me literally weeks of time over the last few years. Keep up the great work

I have a 2008 server SP2 32 bit. I have .NET Framework 3.5 SP1 installed, together with all updates. I have KB969166 installed. In spite of all that, when I run KB968934 I still get "update does not apply to your system". I have looked high and low for a log file that can explain why the install is failing, but I have not found one.